A Tale Of Another SOP Bypass In Android Browser < 4.4
Since my recent Android SOP bypass [CVE-2014-6041] caused quite a stir in the infosec community, I was motivated to research the Android browser a bit more. It turns out that things are much worse than I thought: I managed to trigger quite a few interesting vulnerabilities inside the Android browser, one of them being another Same Origin Policy bypass. What makes it worse is that the same SOP bypass was already fixed in Chrome years ago; however, the patches were not applied to the Android browser < 4.4.
Proof Of Concept
The following is the proof of concept:

The POC is very easy to understand for individuals with some JavaScript background; for others, let me break it down. The POC code creates an object element with a data attribute, which loads a URL from another origin, in this case "http://www.bing.com". Once it has loaded, we replace bing.com with "javascript:alert(document.domain)". The interesting part is that the last line, object.innerHTML = "foobar";, is essential for the POC to work: it is what causes the navigation request to be performed.
Let's take a look at the vulnerable code that is responsible for causing the issue:
Vulnerable Code
bool HTMLPlugInImageElement::allowedToLoadFrameURL(const String& url)
{
    ASSERT(document());
    ASSERT(document()->frame());
    // The only guard before the fix: refuse once the page already holds too many frames.
    if (document()->frame()->page()->frameCount() >= Page::maxNumberOfFrames)
        return false;
    // Resolve the object's data URL against the document; its scheme is never inspected.
    KURL completeURL = document()->completeURL(url);
    // ... (rest of the function omitted)
The above function is responsible for loading the frame URL. If you take a close look at the code, you will find that there is no validation of the javascript: scheme, which allows us to execute JavaScript in the context of the frame that was loaded.
The fix
The issue was fixed by adding the following check, which uses the origin comparison from SecurityOrigin.h:

    // Once a frame is loaded, a javascript: URL is allowed only when the embedding
    // document's origin can access the origin of the document inside that frame.
    if (contentFrame() && protocolIsJavaScript(completeURL)
        && !document()->securityOrigin()->canAccess(contentDocument()->securityOrigin()))
        return false;
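To make the fix concrete, here is an added example (not WebKit's code) that models the patched allowedToLoadFrameURL with simplified stand-ins for SecurityOrigin and KURL's protocolIsJavaScript; the origins used in main() are constructed for illustration, and attacker.example is a placeholder for the embedding page.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Stand-in for WebKit's SecurityOrigin: the (scheme, host, port) triple
// that the Same Origin Policy compares.
struct Origin {
    std::string scheme, host;
    int port;
    // Mirrors SecurityOrigin::canAccess for the ordinary case: every component
    // must match exactly (document.domain relaxation is not modelled).
    bool canAccess(const Origin& other) const {
        return scheme == other.scheme && host == other.host && port == other.port;
    }
};

// Stand-in for KURL's protocolIsJavaScript: case-insensitive scheme match,
// skipping leading whitespace as the KURL helper does.
bool protocolIsJavaScript(const std::string& url) {
    size_t i = 0;
    while (i < url.size() && std::isspace(static_cast<unsigned char>(url[i]))) ++i;
    static const std::string kScheme = "javascript:";
    if (url.size() - i < kScheme.size()) return false;
    for (size_t j = 0; j < kScheme.size(); ++j)
        if (std::tolower(static_cast<unsigned char>(url[i + j])) != kScheme[j]) return false;
    return true;
}

// Model of the patched check. `embedder` is the document owning the <object>;
// `content` is the origin currently loaded in its frame, or nullptr when the
// frame does not exist yet (contentFrame() == null on the very first load).
bool allowedToLoadFrameURL(const Origin& embedder, const Origin* content,
                           const std::string& url) {
    // Before the patch only the frame-count check existed, so any URL passed.
    if (content && protocolIsJavaScript(url) && !embedder.canAccess(*content))
        return false;  // javascript: aimed at a cross-origin frame is refused
    return true;       // everything else continues to the normal URL checks
}

int main() {
    Origin attacker{"http", "attacker.example", 80};  // constructed placeholder
    Origin bing{"http", "www.bing.com", 80};
    std::cout << "first load of bing.com: " << allowedToLoadFrameURL(attacker, nullptr, "http://www.bing.com") << "\n"
              << "javascript: into bing frame: " << allowedToLoadFrameURL(attacker, &bing, "javascript:alert(document.domain)") << "\n"
              << "javascript: into own-origin frame: " << allowedToLoadFrameURL(attacker, &attacker, "javascript:alert(1)") << "\n";
    return 0;
}
```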